Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Jamf Protect - Alerts

Back
Id6098daa0-f05e-44d5-b5a0-913e63ba3179
RulenameJamf Protect - Alerts
DescriptionCreates an incident based on Jamf Protect Alert data in Microsoft Sentinel
SeverityHigh
Required data connectorsJamfProtect
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
Version1.0.6
Arm template6098daa0-f05e-44d5-b5a0-913e63ba3179.json
Deploy To Azure
jamfprotectalerts_CL
| extend
    algorithm = "SHA256",
    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
    Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
    Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
    JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
severity: High
kind: NRT
requiredDataConnectors:
- dataTypes:
  - jamfprotectalerts_CL
  connectorId: JamfProtect
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
alertDetailsOverride:
  alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
  alertSeverityColumnName: EventSeverity
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: EventVendor
  - alertProperty: ProductName
    value: EventProduct
  - alertProperty: Techniques
    value: Techniques
  alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
  alertTacticsColumnName: Tactics
relevantTechniques: 
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DvcHostname
    identifier: HostName
  - columnName: DvcOs
    identifier: OSFamily
  - columnName: DvcOsVersion
    identifier: OSVersion
- entityType: IP
  fieldMappings:
  - columnName: Host_IPs
    identifier: Address
- entityType: Process
  fieldMappings:
  - columnName: TargetProcessCurrentDirectory
    identifier: CommandLine
  - columnName: TargetProcessId
    identifier: ProcessId
- entityType: FileHash
  fieldMappings:
  - columnName: algorithm
    identifier: Algorithm
  - columnName: TargetBinarySHA256
    identifier: Value
name: Jamf Protect - Alerts
description: |
    'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
status: Available
customDetails:
  TargetbinarySign: TargetbinarySignerType
  Protect_Event_Type: EventType
  Protect_Tags: Tags
  Related_File_hash: TargetBinarySHA256
  TargetBinarySignMsg: TargetBinarySigningInfoMessage
  Related_Binaries: TargetBinaryFilePath
  Protect_Analytic: EventMessage
  TargetBinarySigner: TargetBinarySigningTeamID
  JamfPro_Status: JamfPro
query: |
  jamfprotectalerts_CL
  | extend
      algorithm = "SHA256",
      Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
      Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
      Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
      Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
      JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")  
version: 1.0.6
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    matchingMethod: AllEntities
    reopenClosedIncident: false
    lookbackDuration: PT5H
suppressionEnabled: false
suppressionDuration: PT5H
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics: 
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{EventResultMessage}} - Please investigate",
          "alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "EventVendor"
            },
            {
              "alertProperty": "ProductName",
              "value": "EventProduct"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            }
          ],
          "alertSeverityColumnName": "EventSeverity",
          "alertTacticsColumnName": "Tactics"
        },
        "alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
        "customDetails": {
          "JamfPro_Status": "JamfPro",
          "Protect_Analytic": "EventMessage",
          "Protect_Event_Type": "EventType",
          "Protect_Tags": "Tags",
          "Related_Binaries": "TargetBinaryFilePath",
          "Related_File_hash": "TargetBinarySHA256",
          "TargetbinarySign": "TargetbinarySignerType",
          "TargetBinarySigner": "TargetBinarySigningTeamID",
          "TargetBinarySignMsg": "TargetBinarySigningInfoMessage"
        },
        "description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
        "displayName": "Jamf Protect - Alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              },
              {
                "columnName": "DvcOs",
                "identifier": "OSFamily"
              },
              {
                "columnName": "DvcOsVersion",
                "identifier": "OSVersion"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Host_IPs",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "TargetProcessCurrentDirectory",
                "identifier": "CommandLine"
              },
              {
                "columnName": "TargetProcessId",
                "identifier": "ProcessId"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "algorithm",
                "identifier": "Algorithm"
              },
              {
                "columnName": "TargetBinarySHA256",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
        "query": "jamfprotectalerts_CL\n| extend\n    algorithm = \"SHA256\",\n    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),\n    Tactics = case(input.match.tags has \"Execution\", \"Execution\", input.match.tags has \"Visibility\", \"Visibility\", input.match.tags has \"Persistence\", \"Persistence\", input.match.tags has \"LateralMovement\", \"LateralMovement\", input.match.tags has \"CredentialAccess\", \"CredentialAcccess\", input.match.tags has \"DefenseEvasion\", \"DefenseEvasion\", input.match.tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", input.match.tags has \"Impact\", \"Impact\", input.match.tags has \"CommandAndControl\", \"CommandandControl\", input.match.tags has \"Discovery\", \"Discovery\", input.match.tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n    Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(input.match.tags))),\n    JamfPro = case(input.match.actions has \"SmartGroup\", \"Workflow with Jamf Pro\", input.match.actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "templateVersion": "1.0.6"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}